Member
ctdlg   25-11-2024, 18:29
#1

Hello,

Lighthouse gives me a warning:
No CSP found in compliance mode.

Should I add
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';"

in my .htaccess file?

Administrator
acrylian   25-11-2024, 19:43
#2

There is an http_security_header plugin included with which you can set such headers.

Member
ctdlg   26-11-2024, 17:00
#3

This http_security_header plugin seems really great. I do not know why I have not tried it before.
I will read the 22 pages (plugin links) to fully understand how to use it.
Thank you acrylian.

Administrator
acrylian   26-11-2024, 18:12
#4

In practice you mostly need a few things. A lot of what it provides is rather advanced to set up and can even cause problems on your site if set wrong.

Member
ctdlg   26-11-2024, 20:01
#5

What settings would you suggest?
Zenphoto users could also be interested.
You could add your suggestions to your online manual pages!

Administrator
acrylian   27-11-2024, 10:13
#6

On our own site we only have Content Security Policy, XSS-Protection and Referrer Policy = Same Origin enabled.

I really cannot recommend any standard setting as this is not ZP specific and depends. As you noticed there are docs linked for more info.
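
Added example (not part of the thread and not Zenphoto code): a simplified Python check of the policy quoted in post #1 against a constructed list of page resources, showing which ones a 'self'-only policy would block. The origin gallery.example, the resource list and the function names are assumptions; source matching covers only 'self', scheme sources and exact origins (no wildcards, nonces or hashes).

```python
from urllib.parse import urlparse

# Policy quoted in post #1; SITE is a constructed origin for illustration.
POLICY = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';"
SITE = "https://gallery.example"
# Fetch directives that fall back to default-src (subset; form-action, base-uri
# and frame-ancestors do not fall back).
FALLBACK = {"script-src", "style-src", "img-src", "font-src", "connect-src",
            "media-src", "object-src", "frame-src", "worker-src", "manifest-src"}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def allowed(policy, directive, url=None, inline=False, site=SITE):
    """Simplified source matching: 'self', scheme sources, exact origins."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing restricts this resource type
    if inline:
        return "'unsafe-inline'" in sources
    u = urlparse(url)
    origin = f"{u.scheme}://{u.netloc}"
    return any((s == "'self'" and origin == site) or s == f"{u.scheme}:" or s == origin
               for s in sources)

# Constructed page inventory: (directive, url or None, inline?)
RESOURCES = [
    ("script-src", SITE + "/js/gallery.js", False),
    ("script-src", "https://cdn.example/lib.js", False),
    ("script-src", None, True),          # inline <script> block
    ("style-src", None, True),           # inline <style> or style attribute
    ("img-src", "data:image/png;base64,AAAA", False),
    ("font-src", "https://fonts.example/a.woff2", False),
]

def blocked(header=POLICY, resources=RESOURCES):
    """Return (directive, resource) pairs the policy would refuse to load."""
    policy = parse_csp(header)
    return [(d, u or "inline") for d, u, i in resources if not allowed(policy, d, u, i)]

if __name__ == "__main__":
    for directive, what in blocked():
        print(f"blocked by {directive}: {what}")
```

Sending the same policy first as Content-Security-Policy-Report-Only lets the browser report these violations without blocking anything, which is a way to find them on a live site before enforcing.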

  